Adobe AIR Security
Adobe AIR 1.5 has helped web developers build Rich Internet Applications (RIAs) for the desktop using their web development skills. Adobe AIR is cross platform. The applications developed in Adobe AIR have desktop and web access at the same time. For this reason the security features of Adobe AIR are different than the conventional web or desktop applications. The security measures of Adobe AIR are a combination of security rules of the desktop as well as web applications.
Some of the most significant features of Adobe AIR are:
Adobe AIR requires developers to digitally sign their applications in order to maintain the integrity of the software and the identity of its publisher. The applications can be digitally signed by a Certification Authority (CA) or by constructing a self-signed certificate.
Users choose whether they prefer using the applications certified by the authority or the applications with self-signed certificates by ignoring the vulnerability risks in those applications. If someone is concerned about data and system security then the applications developed by renowned developers or signed by the authorities should be used.
The cross platform security architecture of Adobe AIR is very comprehensive. It allows desktop applications to access the internet while keeping the system secure from different vulnerabilities. The security architecture of Adobe AIR also restricts unauthorized access to the system files through the use of the AIR application. Different levels of security are defined within AIR in terms of Sandboxes. A sandbox acts independently to secure the local file system defined within that particular sandbox from the files residing in other sandboxes. There are defined permissions in each sandbox for the access of each file in the AIR application. Because of this, files within different sandboxes are secure. Also, a malicious code from the web cannot access and destroy the local file system defined within a sandbox.
Different forms of sandboxes in the Adobe AIR architecture are:
Application Sandbox — The files in the application sandbox have full AIR privileges and access to the system. The contents defined in the Application Sandbox have access to the AIR APIs, but the contents in the other sandboxes cannot access those APIs.
Non Application Sandbox – Files downloaded online or from other networks are included in the non application sandbox. This category of sandbox is further divided into subcategories according the set of rules and restrictions for different sorts of file systems. These are: remote, local trusted, local-with-networking and local-with-file system.
For added security the AIR runtime provides the application and user the ability to store data in an encrypted format in a separate location. The format used to store the data is AES-CBC128-bit encryption. With this, the application has the capability to save and retrieve a user’s data on the local hard disk in the encrypted format. That data gets saved from being decoded by other users and the other AIR applications. There is a separate storage area for each users’ encrypted data. Two applications cannot share the same encrypted local store. The local store can be used by applications to store each users’ confidential information separately. The Adobe AIR application uses DPAPI on Windows and KeyChain on Mac OS to associate the encrypted local stores to each user.
There are special restrictions and complex security arrangements for the access of scripts outside the “Application Sandbox” to the contents defined in that particular sandbox. A special mechanism called “Sandbox Bridge” is used by non-application-sandbox files to access the properties and methods of files in the application sandbox. The sandbox bridge does not guarantee security as it totally depends on how the Application Sandbox API’s are exposed to the non-application sandbox while implementing the sandbox bridge. It can be said that the sandbox bridge will expose only the permitted data to outside scripts or files. In this case the scenario is more or less like the client-server model. However, when used correctly, the sandbox bridge can provide applications with an extra layer of security by restricting non-application content from accessing the contents of an application sandbox.
Added care must be taken when allowing dynamic HTML content to access the application layer of Adobe AIR. As the dynamic content may contain functions like eval (), that can create security risks by exposing data within the application sandbox. Such malicious dynamically generated codes can even delete the file system or alter them for continuous spying on the system without the intervention of the users.
The HTML methods can also be used by the non-application sandboxes to generate dynamic code, but they do not have direct access to the application APIs. The sandbox bridge provides limited access to the application APIs by setting up means and restrictions.
From the above overview of the AIR security model, it can be assumed correctly that it is secure for developers and users. Still, common vulnerability risks are present, as they can be there in other applications developed by using any other platform. It is the responsibility of the users and the developers to maintain security by monitoring risks like importing files in the AIR application sandbox, being conscious while using external sources to determine paths and being very careful while storing and transmitting unsecured credentials.
Adobe AIR 1.5 Security Whitepapers, Retrieved Jan 22nd, 2008 from http://help.adobe.com/en_US/AIR/1.5/AIR_security/WS5b3ccc516d4fbf351e63e3d11c0f598475-7ff3.html
- Indian surnames, hindu surnames, origins and meanings
- HTML vs XHTML difference and comparison
- Popular Toll Free number helpline numbers with Names of Companies and Toll Free Helpline Numbers in India
- Association, Aggregation, Composition, Abstraction, Generalization, Realization, Dependency
- REST Vs SOAP, The Difference Between Soap And Rest
- Flex Memory Management and Memory Leaks
- 10 Ways to Skin an App
- Free software and tools, projects using Adobe Air / Adobe Flex Action Script
- Top Companies India
- Difference between WebORB and FluorineFx
|Raghu on My Native Place – (ప్రొద…|
|Thulasiram on My Native Place – (ప్రొద…|
|చేపురుపల్లి కృష్ణ on My Native Place – (ప్రొద…|
|Mohiddin on My Native Place – (ప్రొద…|
|antalya escort on My Native Place – (ప్రొద…|